Modeling of information security management parameters in Indian organizations using ISM and MICMAC approach

Journal of Modelling in Management

Volumn 8, Issue 2, 2013, Pages 171-189

  Chander, Muktesh ^a   Jain, Sudhir K ^a   Shankar, Ravi ^a  

^a INDIAN INSTITUTE OF TECHNOLOGY DELHI   (India)

Author keywords

India; Information security; Information security management; Interpretive Structural Modelling (ISM); Key variables; MICMAC; Organizations

Indexed keywords

EID: 84910122222     PISSN: 17465664     EISSN: 17465672     Source Type: Journal    
DOI: 10.1108/JM2-10-2011-0054     Document Type: Article

References (70)

1. Al-Awadi, M. (2009), “A study of employees' attitudes towards organizational information security policies in the UK and Oman”, PhD thesis, University of Glasgow, Glasgow.
2. Alkaff, A.S. (2009), “Case studies show value of ISO/IEC 27001 conformity”, ISO Management Systems, January/February, pp. 33-38.
3. Arcade, J., Godet, M., Meunier, F. and Roubelat, F. (2003), Structural Analysis with MICMAC Method & Actors' Strategy with MACTOR Method, available at: www.agriperi.ir/AKHBAR/cd1/FORESIGHT%20METHODOLOGY%20&%20FORECASTING/FORESIGHT%20METHODOLOGY/related%20articles/books/Future%20Research%20Methodology/4-stranal.pdf.
4. Australia (2009), “Cyber security strategy”, available at: www.ag.gov.au/www/agd/rwpattach.nsf/VAP/%284CA02151F94FFB778ADAEC2E6EA8653D%29∼AG+Cyber+Security+Strategy+-+ for+website.pdf/$file/AG+Cyber+Security+Strategy+-+for+website.pdf.
5. Avolio, F.M. (2000), “Best practices in network security”, Network Computing, Vol. 60 No. 20.
6. Belasco, K. and Wan, S.-P. (2006), “Online retail banking: security concerns, breaches and controls”, Handbook of Information Security, Vol. 3, Wiley, Hoboken, NJ, p. 43.
7. Berends, A.J. (2007), “Dealing with information loss”, Masters thesis, available at: www.tbm.tudelft.nl/fileadmin/Faculteit/TBM/Over_de_Faculteit/Afdelingen/Afdeling_Infrastructure_Systems_and_Services/Sectie_Informatie_en_Communicatie_Technologie/medewerkers/jan_van_den_berg/news/doc/arjen-berends.pdf.
8. Björck, F. (2001), Implementing Information Security Management Systems – An Empirical Study of Critical Success Factors, available at: http://people.dsv.su.se/∼bjorck/files/success-factors.pdf.
9. CERT (2009), CERT Research Annual Report 2009, available at: www.cert.org/research/2009research-report.pdf.
10. CSO (2010), Cyber Security Watch Survey Results, available at: www.csoonline.com/documents/pdfs/2010CyberSecurityResults.pdf.
11. Dhillon, G. (1997), Managing Information System Security, Macmillan, Basingstoke.
12. Draft ISO Guide 83 (2011), High Level Structure and Identical Text for Management System Standards and Common Core Management System Terms and Definitions, ISO, Geneva.
13. Englesman, W. (2007), “Information assets and their value”, available at: http://referaat.cs.utwente.nl/new/paper.php?paperID=186.
14. ENISA (2009), The Growing Requirement for Information Security Awareness, available at: www.enisa.europa.eu/act/ar/deliverables/2009/ar-book-09/at_download/fullReport.
15. Estonia (2008), “Cyber security strategy”, available at: www.mod.gov.ee/files/kmin/img/files/Kuberjulgeoleku_strateegia_2008-2013_ENG.pdf.
16. Gallaher, M.P., Link, A.N. and Rowe, B.R. (2008), Cyber Security: Economic Strategies and Policy Alternatives, Edward Elgar, Cheltenham, pp. 41-55.
17. Germany (2008), Information Security Audit (IS Audit) – A Guideline for IS Audits Based on IT-Grundschutz, available at: www.bsi.bund.de/cae/servlet/contentblob/471376/publicationFile/27987/guideline-isrevision_pdf.pdf.
18. Godet, M. (1993), From Anticipation to Action: A Handbook of Strategic Prospective, UNESCO Publishing, Paris.
19. Harary, F., Norman, R.Z. and Cartwright, D. (1965), Structural Models: An Introduction to the Directed Graphs, Wiley, New York, NY.
20. Harris, S. (2010), All in One CISSP Exam Guide, 5th ed., Tata McGraw-Hill Education, Noida.
21. Herath, T. and Rao, H.R. (2009), “Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness”, Decision Support Systems, Vol. 47 No. 2, pp. 154-165.
22. Homeland Security (2008), Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development, available at: www.us-cert.gov/ITSecurityEBK/EBK2008.pdf.
23. Hong, K.-S., Chi, Y.-P., Chao, L.R. and Tang, J.-H. (2006), “An empirical study of information security policy on information security elevation in Taiwan”, Information Management & Computer Security, Vol. 14 No. 2, pp. 104-115.
24. Hoo, K.J.S. (2000), How Much is Enough? A Risk-Management Approach to Computer Security, Center for International Security and Cooperation (CISAC), Stanford, CA.
25. ISO/IEC 27001 (2005), Information Technology – Security Techniques-Information Security Management Systems – Requirements, ISO, Geneva.
26. ISO/IEC 27001 (2009), Information Technology – Security Techniques – Information Security Management Systems – Overview and Vocabulary, ISO, Geneva.
27. ISO/IEC 27002 (2005), Information Technology – Security Techniques – Code of Practice for Information Security Management, ISO, Geneva.
28. ISO/IEC 27005 (2011), Information Technology – Security Techniques – Information Security Risk Management, ISO, Geneva.
29. ISO/IEC 27035 (2011), Information Technology – Security Techniques – Information Security Incident Management, ISO, Geneva.
30. ISO/IEC 31000 (2009), Risk Management – Principles and Guidelines, ISO, Geneva.
31. ISO/IEC 31010 (2009), Risk Management – Risk Assessment Techniques, ISO, Geneva.
32. Johnson, M.E. and Goetz, E. (2007), “Embedding information security into the organization”, IEEE Security and Privacy, May/June, pp. 16-24.
33. Kajava, J., Anttila, J., Varonen, R., Savola, R. and Roning, J. (2006), “Senior executives commitment to information security-from motivation to responsibility”, Proceedings of International Conference, CIS 2006, Guangzhou, China, November 3-6.
34. Kankanhalli, A., Teo, H.-H., Tan, B.C.Y. and Wei, K.-K. (2003), “An integrative study of information systems security effectiveness”, International Journal of Information Management, pp. 139-154.
35. Knapp, K.J., Marshall, T.E., Rainer, R.K. and Morrow, D.W. (2006), “The top information security issues facing organizations: what can government do to help?”, Information Systems Security, Vol. 15 No. 4, pp. 51-58.
36. Kumar, A. (2009), “Case studies show value of ISO/IEC 27001 conformity”, ISO Management Systems, January/February, pp. 33-38.
37. Lim, J.S., Chang, S., Maynard, S. and Ahmad, A. (2009), “Exploring the relationship between organizational culture and information security culture”, Proceedings of the 7th Australian Information Security Management Conference.
38. McAfee (2011), Risk and Compliance Outlook, available at: www.mcafee.com/us/resources/reports/rp-risk-compliance-outlook-2011.pdf.
39. Ma, Q. and Pearson, J.M. (2005), “ISO 17799: best practices in information security management?”, Communications of the AIS, Vol. 15, pp. 577-591.
40. MIT (2011), Discussion Draft on National Cyber Security Policy, Department of Information Technology, Ministry of Communications and Information Technology Government of India, available at: www.mit.gov.in/sites/upload_files/dit/files/ncsp_060411.pdf.
41. Moore, C.M. (1994), Group Techniques for Idea Building, Sage, Beverly Hills, CA.
42. NICE (2010), National Initiative for Cyber Security Education, available at: www.whitehouse.gov/sites/default/files/rss_viewer/cybersecurity_niceeducation.pdf.
43. NIST (1996), Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST 800-14, available at: http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf.
44. NIST (2002), Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, available at: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.
45. NIST (2006a), Guide for Developing Performance Metrics for Information Security, NIST Special Publication 800-80, available at: http://permanent.access.gpo.gov/lps72067/draft-sp800-80-ipd.pdf.
46. NIST (2006b), Information Security Handbook: A Guide for Managers, NIST Special Publication 800-100, available at: http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf.
47. NIST (2008), Performance Measurement Guide to Information Security, NIST Special Publication 800-55, Revision 1, available at: http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf.
48. NIST (2009), Recommended Security Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53, Revision 3, available at: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf.
49. NIST (2011), Managing Information Security Risk, NIST Special Publication 800-39, available at: http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf.
50. OECD (2002), OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, available at: www.oecd.org/dataoecd/16/22/15582260.pdf.
51. Parker, D.B. (2002), Motivating the Workforce to Support Security Objectives: A Long-Term View, available at: www.iwar.org.uk/comsec/resources/sa-tools/Motivation-for-Information-Security.pdf.
52. Ramachandran, S., Srinivasan, V.R. and Tim, G. (2008), “Information security cultures of four professions: a comparative study”, Proceedings of the 41st Hawaii International Conference on System Sciences – 2008, Hawaii.
53. Sage, A.P. (1976), Methodology for Large Scale Systems, McGraw-Hill, New York, NY.
54. Sami, A.-Z. (2006), “Success factors of information security management: a comparative analysis between Jordanian and Finnish companies”, available at: www.pafis.shh.fi/graduates/samabu04.pdf.
55. Saxena, J.P., Sushil and Vrat, P. (2006), Policy and Strategy Formulation: An Application of Flexible Systems Methodology, GIFT Publishing, Delhi.
56. Schjolberg, S. and Ghernaouti-Hélie, S. (2011), A Global Treaty on Cybersecurity and Cybercrime, 2nd ed., available at: www.cybercrimelaw.net/documents/A_Global_Treaty_on_Cybersecurity_and_Cybercrime,_Second_edition_2011.pdf.
57. Sharma, H.D., Gupta, A.D. and Sushil (1995), “The objectives of waste management in India: a future inquiry”, Tech. Forecast. & Social Change, Vol. 48, pp. 285-309.
58. Singh, M.D. and Kant, R. (2008), “Knowledge management barriers: an interpretive structural modeling approach”, International Journal of Management Science and Engineering Management, Vol. 3 No. 2, pp. 141-150.
59. Siponen, T. (2000), “A conceptual foundation for organizational information security awareness”, Information Management & Computer Security, Vol. 8 No. 1, pp. 31-41.
60. Symantec (2011), Symantec Security Check – Indian Financial Services Industry 2011, available at: www.symantec.com/content/en/in/enterprise/collateral/other_resources/MediaPresentation_SymantecSecurityCheck_Indian%20FinancialServices_SurveyFindings_August18.pdf.
61. Thomson, K.-L. and von Solms, R. (2005), “Information security obedience: a definition”, Computers & Security, Vol. 24, pp. 69-75.
62. Trček, D. (2006), Managing Information Systems Security and Privacy, Springer, Berlin.
63. Tudor, J.K. (2001), IS Security Architecture, An Integrated Approach to Security in the Organization, Auerbach Publications, Boca Raton, FL.
64. UK (2009), Cyber Security Strategy of the United Kingdom: Safety, Security and Resilience in Cyber Space, available at: www.cabinetoffice.gov.uk/media/216620/css0906.pdf.
65. Vaish, A. and Varma, S. (2010), “Parameter extraction for measurement of the effective information security management – statistical analysis”, International Journal of Computer and Electrical Engineering, Vol. 2 No. 4, pp. 1793-8163.
66. Von Solms, B. (2006), “Information security-the forth wave”, Computers & Security, Vol. 25, pp. 165-168.
67. Von Solms, B. and Von Solms, R. (2004), “The 10 deadly sins of information security management”, Computer & Security, Vol. 23 No. 3, pp. 191-198.
68. Warfield, J.N. (1990), A Science of Generic Design: Managing Complexity Through System Design, Vol. I/II, International Systems, Salinas, CA.
69. Warfield, J.W. (1974), “Developing interconnected matrices in structural modeling”, IEEE Transactions on Systems Men and Cybernetics, Vol. 4 No. 1, pp. 51-81.
70. Wright, C. (2008), The IT Regulatory and Standards Compliance Handbook, Syngress Publishing, Inc., Boston, MA.